In extreme agony, asking the masters for help

Starting this Monday, a problem appeared: web browsing became extremely slow. So I cleared all the files under Temporary Internet Files. With no progress, I suspected a virus and used Trend Micro OfficeScan to scan for viruses.

The result was that it found a virus, apparently called WORMS, in C:\WINDOWS\SYSTEMS32\UPDATE_W.EXE,

and in C:\PROGRAM FILES\ISS\ISSSENSORS\DESKTOPPROTECTION\IBE\IBETEMP,

but Trend Micro OfficeScan said it could not clean it. Following its instructions to delete the virus file directly,

I could not find those two files either.


So I used Symantec AntiVirus to scan for viruses. Something strange happened:

the scan result showed no virus at all. Hoping for the best, I naively assumed the virus was gone and went online again. The web was still extremely slow,

with long stretches of blank page.


I started to get suspicious and scanned again with Trend Micro OfficeScan. Even stranger, the result was again no virus at all.

But the web is still extremely slow. A new discovery: the sites I visit often are extremely slow, while sites I rarely visit seem normal.

Asking for help, with thanks.
[poi (8-24 23:24, Long long ago)] #1

Masters, why are there only viewers and no replies? Please rescue me from this misery. [poi (8-27 0:09, Long long ago)] #2

More info needed
Search for a tool called Process Explorer (from Sysinternals) and check if any suspicious processes are running.

Failing that, since malware is getting better every day, search for a tool called RootkitRevealer (downloadable from the same site) to check for the culprit.

You might have to perform these steps in Safe Mode (F8).
[SmellsLikeTeenSpirit (8-27 12:31, Long long ago)] #3

I ran into the same problem. In the end I reinstalled the system, then installed SP2 and Trend OfficeScan. Also, disable Remote Registry under Services. [山水 (8-28 14:46, Long long ago)] #4

(Quoting 山水: I ran into the same problem. In the end I reinstalled the system, then installed SP2 and Trend OfficeScan. Also, disable Remote Registry under Services.) Thanks! [poi (8-29 22:51, Long long ago)] #5

(Quoting SmellsLikeTeenSpirit: More info needed. Search for a tool called Process Explorer (from Sysinternals) and check if any suspicious processes are running ...) Some kernel-mode rootkits can even hide from Process Explorer. [留名 (8-30 15:02, Long long ago)] #6

(Quoting 留名: Some kernel-mode rootkits can even hide from Process Explorer.) Ya, I agree. Security is an endless game. [SmellsLikeTeenSpirit (8-30 16:52, Long long ago)] #7

(Quoting SmellsLikeTeenSpirit: More info needed. Search for a tool called Process Explorer (from Sysinternals) and check if any suspicious processes are running ...) Forgive me, I really am a newbie; may I timidly ask for concrete instructions: how to search for the tool, and how to enter Safe Mode. Deeply grateful. [poi (9-1 3:18, Long long ago)] #8

(Quoting poi: Forgive me, I really am a newbie; may I timidly ask for concrete instructions: how to search for the tool, and how to enter Safe Mode. Deeply grateful.) Sorry, no Chinese input, but here are the steps.
Download [Process Explorer] and [RootkitRevealer] from sysinternals.com.

You shouldn't see any suspicious processes from tool 1. For diagnosis, you can copy and paste the list of processes running on your computer here.

For the second tool, you might need to run it in Safe Mode. To do that, reboot, press F8 and select Safe Mode.

For more information, refer to

http://research.microsoft.com/rootkit/

http://www.sysinternals.com/utilities/rootkitrevealer.html
[SmellsLikeTeenSpirit (9-1 9:47, Long long ago)] #9

(Quoting SmellsLikeTeenSpirit: Sorry, no Chinese input, but here are the steps. Download [Process Explorer] and [RootkitRevealer] from sysinternals.com. You sho...) Thank you, moderator. Here is the list of running processes I got with Process Explorer:
Process PID CPU Description Company Name
System Idle Process 0 84.07
Interrupts n/a Hardware Interrupts
DPCs n/a 0.88 Deferred Procedure Calls
System 4
smss.exe 904 Windows NT Session Manager Microsoft Corporation
csrss.exe 992 0.88 Client Server Runtime Process Microsoft Corporation
winlogon.exe 1016 Windows NT Logon Application Microsoft Corporation
services.exe 1060 1.77 Services and Controller app Microsoft Corporation
ibmpmsvc.exe 1284
svchost.exe 1324 Generic Host Process for Win32 Services Microsoft Corporation
1XConfig.exe 3236 8021XConfig Module Intel
wmiprvse.exe 232 WMI Microsoft Corporation
svchost.exe 1416 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1564 Generic Host Process for Win32 Services Microsoft Corporation
wuauclt.exe 3816 Automatic Updates Microsoft Corporation
EvtEng.exe 1668 EvtEng Module Intel Corporation
S24EvMon.exe 1704 Event Monitor - Supports driver extensions to NIC Driver for wireless adapters. Intel Corporation
WLKEEPER.exe 1748 WLKEEPER Intel® Corporation
svchost.exe 1820 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1948 Generic Host Process for Win32 Services Microsoft Corporation
ccSetMgr.exe 416 Common Client Settings Manager Service Symantec Corporation
ccEvtMgr.exe 440 Common Client Event Manager Service Symantec Corporation
spoolsv.exe 688 Spooler SubSystem App Microsoft Corporation
blackd.exe 820 blackd Internet Security Systems, Inc.
DefWatch.exe 840 Virus Definition Daemon Symantec Corporation
ntrtscan.exe 932 Trend Micro Inc.
BL515.EXE 1308
OfcPfwSvc.exe 984 OfcPfwSvc Trend Micro Inc.
OProtSvc.exe 1364 Ownership protocol service Intel Corporation
QCONSVC.EXE 1528 IBM Access Connections - Service Component. IBM Corp.
RapApp.exe 1676 1.77 appcomply Internet Security Systems, Inc.
RegSrvc.exe 1904 RegSrvc Module Intel Corporation
SavRoam.exe 2008 SAVRoam symantec
svchost.exe 396 Generic Host Process for Win32 Services Microsoft Corporation
Rtvscan.exe 1348 Symantec AntiVirus Symantec Corporation
tmlisten.exe 2112 Trend Micro Inc.
PccNTUpd.exe 2372 Trend Micro Inc.
TpKmpSvc.exe 2272
wdfmgr.exe 2292 Windows User Mode Driver Manager Microsoft Corporation
Vpatch.exe 2324 Virtual Patch Protection System Internet Security Systems, Inc.
lsass.exe 1072 LSA Shell (Export Version) Microsoft Corporation
ZCfgSvc.exe 2900 ZeroCfgSvc MFC Application Intel Corporation
explorer.exe 3176 Windows Explorer Microsoft Corporation
SynTPLpr.exe 3684 TouchPad Driver Helper Application Synaptics, Inc.
SynTPEnh.exe 3760 Synaptics TouchPad Enhancements Synaptics, Inc.
igfxtray.exe 3780 igfxTray Module Intel Corporation
hkcmd.exe 3792 hkcmd Module Intel Corporation
TpShocks.exe 3988 IBM Active Protection System IBM Corp.
TPHKMGR.exe 4000
TPONSCR.exe 896
TpScrex.exe 2056 ThinkPad UltraZoom IBM Corporation
rundll32.exe 4056 Run a DLL as an App Microsoft Corporation
EzEjMnAp.Exe 236 IBM ThinkPad EasyEject Support Application IBM Corp.
ibmmessages.exe 596 ibmmessages IBM
QCTRAY.EXE 764 IBM Access Connections - Taskbar Application. IBM Corp.
QCWLICON.EXE 944 IBM Access Connections - Wireless Status Icon. IBM Corp.
rundll32.exe 1192 Run a DLL as an App Microsoft Corporation
PccNTMon.exe 1516 I/O Monitor Trend Micro Inc.
iFrmewrk.exe 1876 Intel Framework MFC Application Intel Corporation
EOUWiz.exe 2396 Ease Of Use Wizard Application Intel Corporation
tfswctrl.exe 2488 Drive Letter Access Component Sonic Solutions
ccApp.exe 1208 Common Client User Session Symantec Corporation
VPTray.exe 2580 Symantec AntiVirus Symantec Corporation
ctfmon.exe 3508 CTF Loader Microsoft Corporation
msnmsgr.exe 4044 MSN Messenger Microsoft Corporation
DLG.exe 1716 Digital Line Detection BVRP Software
iexplore.exe 2896 Internet Explorer Microsoft Corporation
iexplore.exe 3732 Internet Explorer Microsoft Corporation
iexplore.exe 3256 Internet Explorer Microsoft Corporation
procexp.exe 3292 10.62 Sysinternals Process Explorer Sysinternals

Process: wmiprvse.exe Pid: 232

Type Name
Desktop \Default
Directory \Windows
Directory \BaseNamedObjects
Directory \KnownDlls
Event \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
Event \BaseNamedObjects\EVENT_READYROOT/CIMV2PROVIDERSUBSYSTEM
File \Device\WMIDataDevice
File \Device\KsecDD
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File C:\WINDOWS\system32
Key HKLM
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKCR\CLSID
Key HKCR
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKU
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKCR\CLSID
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKU\S-1-5-20_CLASSES
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups
Key HKCR
Key HKU\S-1-5-20_CLASSES
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKU
Key HKCR
Key HKU
Key HKLM\SOFTWARE\Microsoft\COM3
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Port \RPC Control\OLEE41DBB9743004CB1A5E3046B12B1
Section \BaseNamedObjects\__R_000000000013_SMem__
Section \BaseNamedObjects\Wmi Provider Sub System Counters
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Thread wmiprvse.exe(232): 2240
Thread wmiprvse.exe(232): 2688
Thread wmiprvse.exe(232): 3996
Thread wmiprvse.exe(232): 3600
Thread wmiprvse.exe(232): 2240
Thread wmiprvse.exe(232): 3200
Thread wmiprvse.exe(232): 3600
Thread wmiprvse.exe(232): 2688
Thread wmiprvse.exe(232): 700
Token NT AUTHORITY\NETWORK SERVICE
Token NT AUTHORITY\SYSTEM
WindowStation \Windows\WindowStations\Service-0x0-3e4$
WindowStation \Windows\WindowStations\Service-0x0-3e4$
[poi (9-1 22:48, Long long ago)] #10

(Quoting poi: Thank you, moderator. Here is the list of running processes I got with Process Explorer: Process PID CPU Description Company Name System Idle Process 0 84.07 ...) Hmm, only this one looks unusual; see whether you can kill it:
BL515.EXE 1308

If BL515 isn't the problem, then it may be the UPDATE_W.EXE from your original post, which is indeed a worm:

http://www.sophos.com/virusinfo/analyses/w32rbotew.html


Also, how come you have Norton AV and Trend Micro at the same time? Generally, you can only run one of them.
[SmellsLikeTeenSpirit (9-2 0:18, Long long ago)] #11
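The triage the reply above does by eye (scanning a pasted Process Explorer list for entries that carry no Description and no Company Name, since an executable without a version resource is worth a second look) can be scripted so it is repeatable. The following is an added example, not code from the thread, from Sysinternals or from any of the vendors named in it. It embeds a subset of the listing poi posted as its sample input; the baseline set of ThinkPad utilities that legitimately lack metadata is an assumption an analyst would have to verify on the machine, not something the thread establishes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of the Process Explorer listing as pasted in the thread (post #10),
# embedded here as sample input so the script runs offline.
PROCEXP_LISTING = """\
Process PID CPU Description Company Name
System Idle Process 0 84.07
Interrupts n/a Hardware Interrupts
DPCs n/a 0.88 Deferred Procedure Calls
System 4
smss.exe 904 Windows NT Session Manager Microsoft Corporation
csrss.exe 992 0.88 Client Server Runtime Process Microsoft Corporation
services.exe 1060 1.77 Services and Controller app Microsoft Corporation
ibmpmsvc.exe 1284
svchost.exe 1324 Generic Host Process for Win32 Services Microsoft Corporation
1XConfig.exe 3236 8021XConfig Module Intel
ntrtscan.exe 932 Trend Micro Inc.
BL515.EXE 1308
TpKmpSvc.exe 2272
explorer.exe 3176 Windows Explorer Microsoft Corporation
TPHKMGR.exe 4000
TPONSCR.exe 896
procexp.exe 3292 10.62 Sysinternals Process Explorer Sysinternals
"""

# One pasted line: name (may contain spaces), PID or "n/a", optional CPU%,
# then whatever Process Explorer showed for Description and Company Name.
# Those two columns are free text, so they are kept together as "meta".
LINE_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<pid>\d+|n/a)(?:\s+(?P<cpu>\d+\.\d+))?(?:\s+(?P<meta>.*))?$"
)

# Kernel pseudo-entries that never carry a version resource.
PSEUDO_PROCESSES = {"system", "system idle process", "interrupts", "dpcs"}

# Hypothetical analyst baseline (assumption, not from the thread): OEM
# utilities on this ThinkPad that are known to ship without metadata.
# An analyst fills this in only after checking each file's origin.
BASELINE_NO_METADATA = {"ibmpmsvc.exe", "tpkmpsvc.exe", "tphkmgr.exe", "tponscr.exe"}


@dataclass
class Proc:
    name: str
    pid: str
    cpu: Optional[float]
    meta: str


def parse_listing(text: str) -> List[Proc]:
    """Turn a pasted Process Explorer listing into Proc records, skipping the header."""
    procs: List[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Process PID"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines the copy/paste mangled
        cpu = float(m["cpu"]) if m["cpu"] else None
        procs.append(Proc(m["name"], m["pid"], cpu, (m["meta"] or "").strip()))
    return procs


def flag_missing_metadata(procs: List[Proc], baseline=frozenset()) -> List[Proc]:
    """Processes with neither Description nor Company Name, minus pseudo-entries and the baseline."""
    flagged = []
    for p in procs:
        lname = p.name.lower()
        if p.meta or lname in PSEUDO_PROCESSES or lname in baseline:
            continue
        flagged.append(p)
    return flagged


def find_by_pid(procs: List[Proc], pid: str) -> Optional[Proc]:
    """Look a record up by PID, e.g. to confirm which image a 'kill 1308' would hit."""
    return next((p for p in procs if p.pid == pid), None)


if __name__ == "__main__":
    procs = parse_listing(PROCEXP_LISTING)
    print(f"{len(procs)} processes parsed")
    for p in flag_missing_metadata(procs):
        tag = "baseline" if p.name.lower() in BASELINE_NO_METADATA else "REVIEW"
        print(f"{tag:8} {p.name} (PID {p.pid})")
```

Run without a baseline, the script lists every unsigned-looking entry, including the IBM utilities; with the baseline applied, only BL515.EXE remains, which matches the reply's call. The point of keeping the baseline separate from the parser is that "no metadata" is a prompt to investigate the file on disk (path, hash, signature), not proof of malice on its own.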

(Quoting SmellsLikeTeenSpirit: Hmm, only this one looks unusual; see whether you can kill it: BL515.EXE 1308. If BL515 isn't the problem, then it may be the UPDATE_W.EXE from your original post, which is indeed a worm ...) I have already killed it, but the situation doesn't seem to have improved.

Sorry, another newbie question: http://www.sophos.com/virusinfo/analyses/w32rbotew.html is a page explaining the worm, right? How can I get rid of the worm? Also, do I still need to run RootkitRevealer?

Symantec AntiVirus was only installed after the worm was found; Trend Micro is normally in Roaming Mode. I don't know whether they run at the same time.

I'm very grateful for the moderator's help to a newbie. You can write in English, no need to switch to Chinese; I think typing Chinese takes a lot of time.
[poi (9-2 2:13, Long long ago)] #12

(Quoting SmellsLikeTeenSpirit: Hmm, only this one looks unusual; see whether you can kill it: BL515.EXE 1308. If BL515 isn't the problem, then it may be the UPDATE_W.EXE from your original post, which is indeed a worm ...) Haha, the system seems to be back to normal! Great, the sites I used to visit are back to their old speed. Finally I no longer have to put up with long blank pages.
Really, thank you so much, moderator.
[poi (9-2 6:45, Long long ago)] #13

(Quoting SmellsLikeTeenSpirit: Hmm, only this one looks unusual; see whether you can kill it: BL515.EXE 1308. If BL515 isn't the problem, then it may be the UPDATE_W.EXE from your original post, which is indeed a worm ...) Thanks again. [poi (9-2 6:46, Long long ago)] #14

(Quoting poi: Haha, the system seems to be back to normal! Great, the sites I used to visit are back to their old speed. Finally I no longer have to put up with long blank pages. Really, thank you so much, moderator.) Hehe, so which step actually solved the problem? [SmellsLikeTeenSpirit (9-2 22:21, Long long ago)] #15

(Quoting SmellsLikeTeenSpirit: Hehe, so which step actually solved the problem?) Not sure. It seems to have been killing BL515.EXE 1308. Everything is normal now. [poi (9-3 3:20, Long long ago)] #16

(Quoting poi: Not sure. It seems to have been killing BL515.EXE 1308. Everything is normal now.) Cool. [SmellsLikeTeenSpirit (9-3 13:22, Long long ago)] #17
